Efficient Network Security Policy Enforcement With Policy Space Analysis

Abstract— Network operators rely on security services to protect their IT infrastructures. Different kinds of network security policies are defined globally and distributed among multiple security middle boxes deployed in networks.However,due to the complexity of security policy, it is inefficient to directly employ existing path-wise enforcement approaches. This paper models the enforcement of network security policy as the set-vering problem,and designs a computational-geometry-based policy space analysis (PSA) tool for set operations of security policy.Leveraging the PSA,this paper first investigates the topological characteristics of different types of policies.This heuristic information reveals intrinsic complexities of security policy and guides the design of our enforcement approach. Then the paper proposes a scope -wise policy enforcement algorithm that selects a modest number of enforcement network nodes to deploy multiple policy subsets in a greedy manner.This approach can be employed on network topologies of both data center and service provider. The efficiencies of the PSA tool and the enforcement algorithm reals evaluated.Compared with the header space analysis, the PSA achieves much better memory and time efficiencies on set operations of security policy. Additionally, the proposed enforcement algorithm is able to guarantee network security within a reasonable number of enforcement network nodes,without introducing many extra rules < final year projects >